Internal Audit of Enterprise Risk Management

Audit Report
15 July 2014

Table of Contents

• 1. Introduction
• 2. Focus of the Audit
  • Audit Objectives
  • Audit Scope
  • Audit Approach
• 3. Findings, Recommendations and Action Plans
  • Governance and Independence
  • ERM Framework
  • Integration of Risk Information
  • Corporate Risk Profile
  • Synergies
  • Efficiency and Effectiveness
• 4. Conclusions
• Appendix A – Audit Criteria

Mr. Bill Jones
Deputy Commissioner
Canada Revenue Agency
555 MacKenzie Avenue
Ottawa, Ontario K1A 0L5
Canada

16 July 2014

Internal Audit of Enterprise Risk Management

Dear Mr. Jones:

Please find enclosed our internal audit report on enterprise risk management for the Canada Revenue Agency (CRA). The examination phase of this internal audit was conducted between February and April 2014.

This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Internal Auditing Standards for the Government of Canada. This report was prepared for the CRA, and as such any third parties who may wish to make use of it do so entirely at their own risk. The management action plans incorporated in this report reflect management's response to the findings and recommendations from the internal audit, and have not been assessed by EY.

We would like to extend our thanks to the many senior executives and Agency staff who cooperated with us in performing this audit; it was a pleasure working with your team. Please do not hesitate to contact the undersigned if you would like to discuss any aspect of this report.

Sincerely,

Bill Kessels, CPA, CA, CIA
Partner
613-598-4830
bill.kessels@ca.ey.com

1. Introduction

In August 2010, the Treasury Board Secretariat released the Framework for the Management of Risk, which provides guidance to Deputy Heads on the implementation of effective risk management practices at all levels of their organization and will support strategic priority setting and resource allocation, informed decisions with respect to risk tolerance and improved results.

At the Canada Revenue Agency (“CRA” or the “Agency”), the Enterprise Risk Management Division (ERMD) is tasked with assisting the Commissioner of Revenue and Chief Executive Officer (CEO) with implementing effective risk management practices across the Agency. In this capacity, ERMD is responsible for maintaining and enhancing the CRA's enterprise risk management (ERM) framework and for enabling its application throughout the Agency. ERMD's mission is to “support CRA's management and its employees in making informed decisions that consider the risks involved.”

The Division is comprised of two distinct sections:

• The Corporate Risk Management (CRM) section facilitates the use of sound risk intelligence at the enterprise level, specifically through the development of the CRA's corporate risk profile (CRP), and ensuring that the CRP informs the CRA's planning and reporting processes.
• The Risk Management Centre of Expertise (CoE) is responsible for providing the enabling infrastructure on which the CRA can develop its risk management (RM) capacity and capabilities. This includes providing advisory services, delivering training and undertaking research and development to produce risk management methodologies and tools.

Enterprise risk management has been a formal part of the CRA's corporate structure since 2005 when the Assistant Commissioner for the Finance and Administration Branch was named the Chief Risk Officer and the Risk and Emergency Management Division was created in the Security, Risk Management and Internal Affairs Directorate. In 2010, responsibility for enterprise risk management was removed from the Finance and Administration Branch and the Enterprise Risk Management Branch was created taking with it the Chief Risk Officer role. By 2011-2012, the Chief Risk Officer was supported by 21 full-time equivalents (FTEs) and had annual expenditures of $2.0 million to carry out his mandate.

In February 2013, the former Enterprise Risk Management Branch and Corporate Audit and Evaluation Branch merged to create the Audit, Evaluation and Risk Branch (AERB), under the leadership of an Assistant Commissioner and Chief Audit Executive (CAE). By 2013-2014, the Enterprise Risk Management Division within AERB had reduced the FTE count to 15, with annual expenditures of $1.3 million^Footnote1. These 15 FTEs includes two part-time students and one FTE added in 2013-2014 for internal fraud risk assessments.

Due to the recent merger, the internal audit of ERM was carried out by Ernst & Young LLP (EY) to comply with internal audit standards regarding the independence and objectivity of the internal audit team.

2. Focus of the Audit

Audit Objectives

The objective of this audit was to provide assurance to management that the Agency's risk management resources are used efficiently and effectively to identify and manage risks as intended by the mandate of the ERMD.

Audit Scope

The audit assessed the CRA's ERM control framework as at October 2013, as well as improvements underway or planned. This included the following:

• Corporate ERM policy, directives, procedures and aids/tools used for the period from January 1, 2011 to November 1, 2013.
• ERM activities undertaken and resources used by ERMD as well as in Branches and Regions.
• The use of risk information as part of corporate planning and decision-making.
• Communication of risk-related information including, but not limited to, risk related policies/directives/procedures/tools available, the risk management process and the CRP.

The audit excluded the following:

• The Corporate Planning Framework, except as to the integration of ERM into strategic and business planning.
• CRA performance reporting, except as to the integration of risk management reporting, as appropriate.

Audit Approach

A risk assessment based on interviews and documentation review was carried out during audit planning to determine areas for examination. Audit criteria to address the risks were developed and can be found in Appendix A. The examination phase of the audit was conducted between February and April 2014.

Although the audit was carried out to address all audit criteria, this report has been organized according to themes to group common findings.

This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Internal Auditing Standards for the Government of Canada.

3. Findings, Recommendations and Action Plans

Governance and Independence

The mandate of the Board of Management states that the Board is responsible for overseeing the organization and administration of the CRA and the management of the Agency's resources, services, property, personnel and contracts. Specifically, the Board oversees the Corporate Business Plan, the management regime and general administration of the Agency, which includes responsibility for reviewing and approving administrative policies governing corporate resources.

The CRA ERM Policy assigns the Board of Management the responsibility for overseeing risk at the Agency. The ERM Policy also defines the enterprise risk management roles, responsibilities and accountabilities of other Agency stakeholders including the Commissioner and Chief Executive Officer, Assistant Commissioner and Chief Audit Executive, AERB, Director of ERMD, Branch Heads and Regional Assistant Commissioners, executives and managers as well as all CRA employees.

Although not explicitly stated in the Board of Management's mandate, it is evident through interviews with members of the Board that they understand their responsibility for overseeing risk management at the Agency, which is consistent with the authority assigned to the Board in the ERM Policy. The Policy specifies the following Board responsibilities:

• Approving the CRA ERM Policy and any subsequent amendments.
• Overseeing risk management at the Agency level.
• Ensuring that the CRA's risk exposure to enterprise risks is in line with the risk tolerance of the Agency.
• Ensuring that the CRA fosters a sound risk management culture across the Agency.

Members of the Board of Management who were interviewed commented that they are receiving relevant and timely risk information that allowed them to exercise their duties in overseeing the Agency.

Senior stakeholders from across the Agency were also interviewed and indicated that the various roles and responsibilities for risk management including those of the ERMD are well defined, communicated and understood. Senior stakeholders viewed ERMD as proactive in communicating their tools and templates and offering assistance with risk management related consulting services.

As previously noted, the ERMD at the CRA is led by the Assistant Commissioner and Chief Audit Executive, AERB. In reviewing the governance structure in place for ERM, the audit team found that key factors around independence and objectivity were considered prior to the merger of the internal audit and risk functions.

The Institute of Internal Auditors (IIA) guidance states that internal audit should not undertake the following activities:

• Setting the risk appetite.
• Imposing risk management processes.
• Providing management assurance on risks.
• Taking decisions on risk responses.
• Implementing risk response on management's behalf.
• Assuming accountability for risk management.

Review of the ERM Policy, CRP methodology and discussions with senior management support that governance considerations for internal audit independence including roles and responsibilities have been documented and respected and are consistent with activities the IIA deems acceptable. The governance arrangement in place supports effective enterprise risk management by assigning ERMD the responsibility for providing the enabling infrastructure for integrated risk management while ensuring the responsibility for managing risks and making decisions on risk mitigation remains that of management. Particularly, the above noted activities are the responsibility of the Commissioner and Chief Executive Officer and/or the Branch Heads and Regional Assistant Commissioners and not the Assistant Commissioner and Chief Audit Executive, AERB or employees within ERMD.

The audit found the CRA Internal Audit Charter recognizes the importance of independence of the internal audit function by identifying the CAE's responsibilities over the enterprise risk function but notes that it is a corporate information resource with no affiliated operational accountabilities. The Internal Audit Charter highlights the need for any future evaluation or audit of ERM function to be carried out by an external third party, which has been respected through the outsourcing of this internal audit.

Recommendations

None

ERM Framework

The International Organization for Standardization (ISO) 31000 Standards defines a risk management framework as a “set of components that provide the foundations^Footnote2 and organizational arrangements^Footnote3 for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.”^Footnote4

Treasury Board's Framework for the Management of Risk became effective in August 2010 and highlights six key principles that Deputy Heads are encouraged to apply in their responsibility for managing their organization's risks. Specifically, the Treasury Board Framework assigns responsibility to the Deputy Head for leading the implementation of effective risk management practices, monitoring risk management practices, considering risks that arise when partnering with organizations as well as creating a learning environment that promotes continuous improvement in risk management competencies and capacity. Although the ERM Policy outlines these to be the responsibilities of various stakeholders within the Agency, it was noted that the Policy does not explicitly state that the Commissioner and CEO has delegated their assigned accountabilities and responsibilities from Treasury Board through the ERM Policy.

The Agency does not have a documented ERM framework that outlines all the activities that support enterprise risk management in the organization; however, the key elements of an ERM framework are in place. The ERM framework at the Agency is comprised of the following:

• The ERM Policy that outlines the risk management roles, responsibilities and accountabilities of various stakeholders across the Agency.
• An Assistant Commissioner and Chief Audit Executive, AERB with accountability for providing strategic advice to the Commissioner and CEO, Agency Management Committee (AMC), senior management, and the Board of Management and supporting the effective application of the ERM Policy throughout the Agency. The AC and CAE is supported by a Director of ERMD who is responsible for creating and maintaining the enabling infrastructure for integrated risk management within the organization.
• A defined CRA risk management process that articulates the process for establishing the context, carrying out a risk assessment (identify, analyze, and evaluate), making decisions based on risk information, monitoring and reporting on risks, and ongoing communication and consultation with stakeholders.
• The integration of enterprise risks considerations as part of Resource and Investment Management Committee (RIMC) project proposals that are supported by ERMD review.
• A CRP which presents a consolidated view of the significant risks to the Agency resulting from a risk assessment process that is facilitated by ERMD but led by input from members of the AMC and includes engagement from heads of planning from Branches and Regions. The CRP is also supported by a monitoring process that ensures follow up reporting to the Board on enterprise risk action plans.
• Training on ERM and the CRA risk management process led by ERMD staff to facilitate the development of risk management competencies and capacity across the Agency.
• Risk Alerts that provide continuous communication to Agency employees on activities in the environment that may impact enterprise risk.
• Tools and templates that support the use of a common risk management process across the Agency such as guidance on the risk management process, the risk register template and “how to” guides for developing a risk profile and using the CRP.

The Agency's ERM Policy serves as the foundation for the framework which is supported by risk management procedures, tools, templates, enterprise wide reporting in the form of the CRP and RIMC submissions as well as risk management training. These components are in alignment with Treasury Board's Framework for the Management of Risk and Guide to Integrated Risk Management. In reviewing the CRP and risk management procedures, tools, templates, the audit found that risk tolerance concepts were introduced as part of the 2012-2013 CRP process; however, limited guidance is provided in this area as part of the risk management training course as well as the procedures and tools available on the Agency Intranet (InfoZone) website.

Recommendations

1. The Agency should review the ERM Policy, the Board mandate and other ERM supporting documentation to ensure that accountabilities and responsibilities are clearly articulated, particularly in instances where the Commissioner and CEO has delegated their responsibility for risk management activities to stakeholders across the Agency.

Management Action Plan

ERMD agrees with this recommendation as it regularly reviews and updates the corporate policy instruments for which it is responsible. The last review and update occurred in March 2013. The next review will take into account recommendation # 2. ERMD will also engage with the CCPD of the SIB to ensure roles and responsibilities continue to be aligned with the CRA Board of Management mandate as per the CRA Act, as well as the Treasury Board of Canada Secretariat's Framework for the Management of Risk and Guide to Integrated Risk Management.

2. ERMD should assess the value of formalizing their ERM Framework by documenting a consolidated view of all the activities within the Agency that support the implementation of ERM at the Agency.

Management Action Plan

ERMD agrees with this recommendation and will formalize its existing ERM Framework. ERMD will do this by documenting a consolidated view of the activities that support the implementation of ERM at the Agency by early 2015. The consolidated view will be in the form of a visual representation that will be shared on InfoZone. ERMD will engage the Corporate Committees and Policy Division (CCPD) of the Strategy and Integration Branch (SIB) as the subject matter experts on corporate policy instruments.

3. ERMD should ensure that guidance material on the Agency's Intranet (InfoZone) and communicated to employees through training reflect guidance on how to determine and utilize risk tolerance information.

Management Action Plan

ERMD agrees with this recommendation and has already developed a robust methodology that outlines how risk tolerance can be determined and used. An enhanced communication approach is targeted for spring 2015.

Integration of Risk Information

ERMD's mission is “to support the CRA's management and its employees in making informed decisions that consider the risks involved.” In doing so, ERMD is responsible for creating and maintaining the enabling infrastructure for integrated risk management within the Agency.

In delivering on its mandate, ERMD facilitates the collection and dissemination of enterprise risk information through various mechanisms which include:

• Preparing environmental scans in collaboration with the Strategy and Integration Branch every six months.
• Conducting research to disseminate Risk Alerts monthly as a means to distribute timely information on external environmental changes that link to enterprise risks as identified in the CRP.
• Drafting the portions of the Report on Plans and Priorities (RPP) and Departmental Performance Report (DPR) that relate to the Agency's enterprise risks.
• Leading the development of the CRP which summarizes the Agency's enterprise risks and is distributed to all Assistant Commissioners and accessible to all Agency staff.

These ERMD activities support the organization in building a risk culture where employees have an understanding and awareness of risks that impact the Agency's ability to deliver their mandate. Many stakeholders who were interviewed found the Risk Alerts to be particularly helpful in keeping them abreast of timely environmental changes that impact enterprise risks.

As part of ERMD's mandate to support risk-informed decision making, the Division also aligns the CRP process with corporate and business planning processes and engages key stakeholders as part of the process. The results of the CRP risk assessment process are used to determine whether action plans are required. Risks requiring additional risk mitigation activities are discussed at a risk action plan workshop facilitated by ERMD which occurs in October coinciding with the beginning of the corporate planning process. In facilitating these activities, ERMD is providing expertise in risk management while providing both an independent perspective and evidence based challenge function to ensure that risks identified reflect relevant information in the internal and external environment.

Additionally, the risk identification, risk assessment and the risk action plan workshop occurs with the participation of Assistant Commissioners, stakeholders from the Strategy Integration Branch (responsible for Corporate Planning) and the heads of planning from each Branch and Region. This provides an opportunity for those responsible for planning activities to leverage enterprise risk information during the corporate and business planning process.

The ERMD framework also ensures risk information is integrated into strategic investment proposals at the Agency. All strategic investment proposals are reviewed by the Resource and Investment Management Committee (RIMC). Project proposals must consider factors that include alignment with enterprise risks and the project's risk assessment. This risk assessment is subject to ERMD review and approval to confirm that a systematic risk assessment process has been carried out that is consistent with the CRA risk management methodology.

ERMD's Risk Management Centre of Expertise also provides support services to stakeholders across the Agency to better facilitate the integration of risk information to decision making. Senior management noted that ERMD provides assistance to Branches and Regions with risk assessment guidance and facilitation when requested. This includes risk assessments at the project or process level as well as regional and local office risk assessments.

Discussions with ERMD noted that risk information gathered from their involvement with Branch or Regional risk advisory engagements was not proactively shared with stakeholders across the Agency due to the sensitivity and ownership of the risk information.

Although stakeholders recognized the assistance provided by ERMD, they noted that opportunities remain to better integrate risk information into business planning.

To support the consistent application of risk management across the Agency, ERMD has also provided risk training as either a one day course to Agency staff or as part of MGLP/EGLP training. The concepts covered in the risk training are consistent with the ERM Policy and the guidance and tools on the Agency Intranet (InfoZone) and many of the participants found it to be relevant and useful. However, the risk training material has limited guidance on how to integrate risk information into business planning. It was also noted that the one day training does not target any particular stakeholder group and as a result, individuals taking the course range in both level and scope of work, i.e. Directors, Managers and Team Leads versus Students, Analysts or Officers.

During interviews with ERMD, we noted that ERMD is currently in negotiations with the Canada School of Public Service to transfer the administration and delivery of the risk management course; however, ERMD will continue to be involved in the development of the risk management training content.

Recommendations

4. ERMD should assess whether there are sensitivities around the information gathered from their advisory activities that would prohibit sharing of this information across internal Agency stakeholders. Where possible and appropriate, risk information gathered through ERMD activities should be shared with Agency stakeholders that would benefit from the information.

Management Action Plan

ERMD agrees with this recommendation and will assess on a case-by-case basis and with the client's consent, the information from advisory activities that could be shared with other Agency stakeholders. In addition, ERMD will strive to share systemic risk findings from several advisories with Agency stakeholders and will evaluate the most appropriate forum and medium to do so.

5. ERMD should ensure that the risk management training provided to Agency employees meets the Agency's needs with respect to the use of risk information as part of the business planning and resource allocation process.

Management Action Plan

ERMD agrees with this recommendation and has already developed tools and training to support the Agency's needs with respect to the use of risk information as part of the business planning and resource allocation process. The one-day risk management training course includes “Unit 3: Integrating Risk Management into the Workplace” and is further complemented by the following guidance tools developed by ERMD and already available on InfoZone:

• “How to use the CRP information”
• “How to integrate risk management into planning”

An initiative is underway to transfer the one-day course to the Canada School of Public Service (CSPS). As the CRA will no longer have full authority over future content, discussions are underway with the CSPS to leverage the existing content of the course for integration within the school's risk management curriculum.

6. The Agency should target risk management training to those who, based on their role, would benefit the most from it with consideration given to the participant's level and scope of work.

Management Action Plan

ERMD agrees with this recommendation and currently has a multi-faceted approach for risk management training that targets key audiences, based on their roles, with different products to meet their needs. The suite of training products includes a module within the CRA's Leadership Plus manager training program, a component within the annual Executive/Cadre Learning Program and a one day risk management course.

Where appropriate, ERMD will continue to keep training materials relevant and current for the various audiences through its partnership with HRB and the CSPS, with whom the materials of the one-day risk management course have been shared. ERMD will also continue to use its advisory services and related workload planning as a key source from which individuals or work units tasked with risk management roles can be identified and proactively offered technical assistance to meet their needs.

Corporate Risk Profile

The Agency's CRP identifies and analyzes the enterprise risks that may threaten the achievement of the Agency's mandate and presents the accountabilities for the management of enterprise risks and how these risks are being addressed. The CRP is also a key source of information to assist employees in understanding ERM priorities and applying the principles of sound risk management in to their daily activities.

ERMD has a formal approach for developing the CRP that is consistent with the CRA risk management process and described in the ERM Policy. The process takes into consideration various information sources including an internal and external environmental scan and input on risk information from various stakeholders using a middle-up approach i.e. soliciting managers and Director level resources on risk information.

The 2012-2013 CRP process piloted a risk tolerance approach to assist in streamlining the process by focusing on areas where the residual risk exposure was “in the caution zone” or “above the caution zone” on the risk tolerance scale. This allowed discussions with senior management to focus on ways to address the risks requiring new or further mitigation. As part of the annual CRP process, ERMD also facilitates the process of engaging the Office of Primary Interests (OPI) and Office of Collaborative Interests (OCI) to gather information on the risk action plans for AMC and Board reporting. The June 2013 status update on CRP enterprise risk action plans was facilitated by ERMD. Follow up on enterprise risks found that 20 of the Agency's 30 enterprise risks were subject to mitigation that resulted in 72 individual initiatives. Senior management were adequately following up on risk action plans and reported that of the 72 individual initiatives planned,17 were completed, 36 were on track and 19 were mostly on track. There were no initiatives that were categorized as not on track.

Finally, the annual CRP process concludes with ERMD engaging stakeholders to provide ongoing feedback on areas that worked well and areas that would benefit from enhancement.

The culmination of the CRP process in 2012-2013 resulted in the identification of 30 enterprise risks which were prioritized based on categorizing risk responses into three categories: maintain controls, mitigate – current plan or mitigate – new or enhanced plan. 20 of the 30 enterprise risks were considered priorities and required mitigation. A majority of stakeholders interviewed found the CRP to contain too many risks for it to properly allow them to focus on the key areas that require attention. Additionally, many stakeholders noted that the CRP process continued to require a great deal of time and resources from the Branches and Regions while yielding few new risks.

Recommendation

7. ERMD should consider a streamlined CRP process and CRP reporting that leverages the use of a risk register to document and monitor those risks that do not have risk action plans and limit enterprise risk reporting in the CRP to only those that require action, thereby reducing the number of risks in the CRP. The ERMD prioritization of risks should consider the significance of the gap between residual risk and tolerance.

Management Action Plan

ERMD agrees with this recommendation and will continue to seek opportunities to enhance the CRP development process by streamlining steps and reducing the amount of time required from stakeholders, while ensuring those accountable for managing risks and determining acceptable levels of risk exposure continue to provide input at key decision points. In addition, the CRP report will continue to be simplified where appropriate, extending efforts from recent years that resulted in greater focus on the risks requiring action, as well as a significant reduction in the size of the report.

In 2014-2015, efficiency steps for CRP development and reporting processes include:

• Enhanced collaboration and integration with the corporate business planning function.
• A revised risk assessment approach primarily targeting the perspectives of those directly accountable for managing risks.
• A senior management risk assessment workshop focussed on key risks as recommended by subject matter experts working with ERMD.
• A CRP 2014-2015 report that continues previous enhancements by further focussing reporting on only the key risks requiring attention for the year.
• Alignment and, where appropriate, integration of risk and internal audit action plan reporting in the Spring 2015 follow-up cycle.

Synergies

In 2013 the merger of the internal audit and enterprise risk functions allowed the two to leverage risk information between the functions, and the risk based audit plan (RBAP) process included participation of the Risk Advisory Team Lead as an observer. However, additional opportunities exist to leverage risk and control information among ERMD, Internal Audit Division and Program Evaluation Division. One initiative identified by ERMD as part of their 2013-2016 Strategic Plan is leveraging the internal audit software TeamMate and increasing information sharing between ERMD teams.

ERMD's risk advisory services has developed a workload management approach that considers many key factors in determining the level of support ERMD should provide to clients. This approach considers linkages to: corporate risks, Agency priorities and transformation agenda, scope, fairness of distribution and the client's risk management proficiency. These linkages are utilized as a means to determine where ERMD can provide the highest impact with their expertise. The performance of ERMD's risk advisory services is evaluated using a client satisfaction questionnaire. However, while ERMD is currently developing a performance measurement framework, key performance indicators for the Division are currently informal and without targets.

Recommendations

8. ERMD should review the internal audit, risk management and program evaluation activities to assess whether there are opportunities to further leverage risk and control information between these functions.

Management Action Plan

ERMD agrees with this recommendation and will continue to explore new ways to collaborate with internal audit and program evaluation to leverage risk and controls information. In 2014-2015, ERMD will once again contribute to the development of the risk-based audit and evaluation plan. In addition, the spring 2015 follow-up cycle will align and, where appropriate, integrate risk and internal audit action plan reporting.

9. ERMD should ensure that the Performance Measurement Framework currently being developed for the Division includes key performance indicators and accompanying targets.

Management Action Plan

ERMD agrees with this recommendation and already had an initiative underway to establish a performance measurement framework (PMF) for the Division. The PMF currently being developed will include key performance indicators and accompanying targets. ERMD will also ensure that its PMF aligns with the Branch level PMF. ERMD is targeting implementation of its initial PMF by spring 2015.

Efficiency and Effectiveness

Although the Agency has been practicing risk management since 2005, the creation of a separate ERM Branch in 2010 has facilitated the development of risk management expertise and the establishment of an ERM Program. Many ERM practices have since been formalized and ERM at the Agency has evolved to what can be considered a “mature” state: where the Agency is refining their ERM practices and processes, rather than developing them. It is noteworthy that the CRA's US counterpart, the Internal Revenue Service (IRS), recently appointed a Chief Risk Officer to lead their ERM program similar to the one CRA has in place.

As previously noted ERMD was comprised of 15 FTEs (including 2 students and a fraud risk assessment resource) with expenditures of $1.3 million in 2013-2014 and is responsible for leading the development of the CRP as well as providing risk advisory services, fraud risk assessment and risk training. Currently six FTEs plus a student are devoted to the development and monitoring of the CRP and another six FTEs plus a student focus on providing risk advisory services. These two groups are supervised by a full-time Director. The structure and resources devoted to ERMD have allowed CRA to develop an internal consulting capability and eliminated the need for external risk consultants. This insourcing approach has the added benefit of allowing the CRA to maintain its corporate risk knowledge. The investment of resources specifically in the area of the CRP has facilitated the development of risk management processes and enabling infrastructure.

The ERM function was compared against the risk management functions of three other comparable^Footnote5 federal government departments in order to identify whether ERMD is efficiently utilizing resources to provide its services. Of the three departments, two identified their risk management functions as established and mature, and one as developing. None of the departments maintained internal risk consulting groups, although they all performed some form of ad hoc support when requested by stakeholders. The audit found the number of FTE's devoted to the CRP by ERMD was consistent with the organization that possessed a developing maturing risk management function. The organizations with established and mature functions maintained approximately half the FTE's, reflecting that it requires fewer resources to maintain risk infrastructure than it does to build it. ERMD has completed this build out process and is now poised to refocus its resources on areas that meet the Agency's evolving needs.

Recommendation

10. ERMD should examine opportunities to refocus risk management resources reflecting the move to a mature risk management function.

Management Action Plan

ERMD agrees with this recommendation and has already been moving in this direction to support the high volume and ad-hoc nature of risk management advisory services in the Division. ERMD will seek to expand and formalize its matrix approach currently used, where resources are directed to priority initiatives and engagements based on availability and pressures. To formally support the matrix model and resource optimization, a holistic workplan for the division will be established and monitored for 2014-2015 and future years.

Where appropriate, workloads and related decisions will be aligned to larger strategies and objectives, such as the branch strategic plan and Blueprint2020. Information sources, such as the Strategic Investment Plan and internal audit recommendations, will be leveraged to assist the planning of advisory engagements where the Division can provide maximum value in support of important business initiatives and Agency priorities.

4. Conclusions

The audit found that the Agency's risk management resources have been used efficiently and effectively to identify and manage risks as intended by the mandate of ERMD, considering the fact that risk management has been in the development phase at the Agency. Implementation of the recommendations in this report will help ensure that it continues to do so as a mature risk management function.

Appendix A – Audit Criteria

Criteria 1

1. ERMD is part of an effective governance framework for enterprise risk management. The framework is established, communicated and understood.

Sub-criteria

1.1 An oversight body is in place with responsibility for overseeing risk management at the Agency.

1.2 The Agency has a clearly defined ERM framework that defines the enterprise risk management roles, responsibilities, and accountabilities of various parties within the Agency including management and ERMD.

1.3 ERMD has a clearly defined role within the Agency's overall ERM framework that is communicated and understood by key stakeholders across the organization.

1.4 Clear governance protocols are established that ensure independence of the ERM function from internal audit.

Criteria 2

2. The Agency has in place a defined process for the identification, assessment, management and communication of risks that is aligned with Treasury Board guidance.

Sub-criteria

2.1 The Agency has in place ERM policy, directives and/or procedures that define the processes for identifying, prioritizing, assessing, managing and communicating risks.

2.2 The Agency's ERM policy, directives and/or procedures are aligned with Treasury Board guidance.

2.3 The Agency's ERM policy, directives, procedures and tools are accessible and communicated to those that need to apply it across Branches and Regions.

Criteria 3

3. The ERM policy, directives and/or procedures are functioning as intended to meet the organization's needs.

Sub-criteria

3.1 ERMD facilitates the collection, sharing and escalation, if required, of risk information from Branches and Regions.

3.2 ERMD supports the integration of enterprise risk information into the Agency's corporate planning and reporting process.

3.3 ERMD provides assistance to senior management at the Branch and Regional levels to consider risk information in the resource allocation and decision-making process for strategic and business planning.

3.4 ERMD has developed relevant tools and training programs to provide adequate support and guidance to Branches and Regions for the implementation of risk management practices within their area of responsibility.

Criteria 4

4. The Corporate Risk Profile is developed using an approach that appropriately highlights key risks to the Agency and ensures mitigation strategies are monitored for timely implementation.

Sub-criteria

4.1 ERMD has a formal approach to the development of the CRP that is supported by an environmental scan and takes appropriate internal and external inputs into consideration.

4.2 ERMD's approach to the development of the CRP identifies an appropriate number of risks and provides value by assisting CRA in their planning and prioritization process.

4.3 ERMD develops the CRP and management identifies mitigation strategies to be implemented and monitored.

Criteria 5

5. ERMD is delivering their ERM activities in an efficient manner.

Sub-criteria

5.1 The CRP process, as implemented by ERMD, is aligned with and leverages risk processes across the organization to achieve synergies where possible.

5.2 Risk advisory services from the Risk Management Centre of Expertise within ERMD are deployed in a manner which ensures the most value is achieved for the investment.

5.3 ERMD resources allocated to support ERM are appropriate for the size and complexity of the Agency.